6 audits in progress at NCUA, OIG says in latest semiannual report to Congress

A semiannual report covering the period of April 1 through Sept. 30 of this year shows a half-dozen inspector general audits in progress at the National Credit Union Administration (NCUA) and a handful of “significant” recommendations from past audit reports yet to be implemented.

The NCUA Office of Inspector General (OIG) also reported no credit union failures for which a material loss review was called for during the period, as none had caused a significant enough loss (exceeding $25 million and an amount equal to 10% of the total assets of the credit union when assistance was initiated) to the National Credit Union Share Insurance Fund (NCUSIF).

The six audits in progress focus on the NCUA’s:

  • Bank Secrecy Act (BSA) enforcement;
  • federal credit union chartering activities;
  • 2023 financial statements (for the agency’s operating fund, NCUSIF, and Central Liquidity Facility [CLF]);
  • cloud computing services;
  • examiner-in-charge rotation limits;
  • examination hours (the NCUA’s effectiveness in establishing examination hours; and whether the NCUA is ensuring proper regulatory safeguards remain in place to protect the credit union system, credit union members, and the Share Insurance Fund while responsibly managing the examination burden on credit unions).

The agency’s list of OIG reports with “significant” unimplemented recommendations – with NCUA management having agreed to implement corrective action but yet to complete it – as of Sept. 30 include:

  1. OIG-20-07 Audit of the NCUA’s Examination and Oversight Authority of Credit Union Service Organizations and Vendors, issued September 1, 2020, recommendation #1. Continue efforts to work with appropriate Congressional committees regarding amending the Federal Credit Union Act to grant the NCUA the authority to subject credit union service organizations and credit union vendors to examination and enforcement authority to the same extent as if they were an insured credit union.
  2. OIG-18-07 FY2018 Federal Information Security Modernization Act Compliance, issued October 31, 2018, recommendation #8. The Office of the Chief Information Officer (OCIO) enforce the policy to remediate patch and configuration related vulnerabilities within agency defined timeframes.
  3. OIG-22-06 Audit of the NCUA’s Minority Depository Institutions Preservation Program, issued September 8, 2022, recommendation #2. Implement and document in appropriate policy and procedures a process to validate whether minority depository institutions continue to meet the minority depository institution definition.

The report also lists several audits reports older than six months where certain recommendations have yet to be implemented.

NCUA OIG Semiannual Report to the Congress April 1 – September 30, 2023